Tag Archives: data protection regulation

Commissioner Viviane Reding intervened in the Justice Council on March 8, 2013, on matters related to the adoption of the Data Protection Regulations. She referred among other things to the issue of pseudonymous data, saying that incentives should be created for companies to use such data instead of the names of the data subject. Nevertheless, Reding insisted that it should always be kept in mind that pseudonymous data is personal data and that it should be subject in general to the data protection legal regime.

Reding:

“Anonymous data is easy to deal with. It is outside the scope of the instrument. There is no risk. The Commission’s proposal makes this clear.

Pseudonymous data is more difficult. I understand the principle. We should encourage companies to use pseudonyms rather than the actual names of persons. This makes sense. It is in the interest of citizens. For pseudonyms to be used, you need to create incentives. Lighter obligations on privacy by design or on notification of breaches are candidates.

The inclusion of a notion of pseudonymous data has also been suggested by the European Parliament’s Rapporteur, Jan-Philipp Albrecht. This demonstrates that there is convergence between the Council and the Parliament on key elements of this file.

But I would sound a note of caution: Pseudonymous data is personal data. It relates to an identified or identifiable natural person and has to be protected under the Charter and EU law. Risks to privacy remain and are real. A single piece of data such as an email address can create a link between a very accurate profile and a person. It is particularly important to keep this in mind since pseudonymous data is often used in the health sector.

So I am happy to work on the notion of pseudonymous data but I will be vigilant. We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions.”

edri.org writes that the United States authorities have produced another lobbying document to influence the European Union’s decision making on European citizens’ fundamental right to privacy and data protection.

Strangely, the document itself is not on headed paper and contains no authorship information. All of the lobbying documents produced so far have been in support of the positions taken by large US corporations and the adoption of US-style weak privacy protections in Europe.

Much of the joint US-government and corporation lobbying has centred on the misunderstanding or misrepresentation that the proposed legislation constitutes a huge revolution, rather than, for the most part, a reiteration of existing principles – improving implementation of legislation that has often been wilfully ignored, to the detriment of European citizens’ rights. The latest US document maintains this unfortunate trend.

Political comedy

The document explains that privacy should not be approached as a “legal harmonization exercise” but instead as “interoperability of frameworks”, as this is what the United States and EU have “always done”. In other policy areas, however, the USA has no problem imposing its will on other countries. For example, the United States keeps a so-called Special 301 “watch list” of countries that fail, in its view, to maintain adequate levels of protection of “intellectual property” rights and threatens those countries with sanctions if they do not follow the orders of the United States.

Political rhetoric

Instead of reasoned argument, the document launches straight into a bizarre range of desperate and groundless claims about how the proposals are going to lead to terrorism, financial meltdown and… the last refuge of the…(read the rest of the story HERE).

Derek Mooney (public affairs director of the Brussels European Employee Relations Group, BEERG) writes for Euractiv.eu that, contrary to what the EU Commission asserts, if the proposed General Data Protection Regulation is adopted with Article 82 as it stands, it will result in significant extra costs for all European business.

More precisely, if the GDPR is adopted with the Art 82 provision, then business will have the “patchwork of 27 different rules in 27 countries” plus the additional obligations and burdens set out in the GDPR, such as data protection officers, consent rules and a 2% penalty on annual turnover, without access to the cost savings the Commission claims.

So, far from saving business €2.3 billion, this measure will cost business money EU wide – at a time when EU national governments are committing themselves to reducing employment costs.

BEERG research shows that, at a conservative estimate, the employee-data-related provisions alone could add €3 billion each year in additional costs on business.

Article 82 of the GDPR excludes the area of employee data from the EU wide “one stop shop” by specifically providing that each member state shall also be empowered to regulate in this area.

Christopher Wolf, who co-chairs the Future of Privacy Forum, wrote an article on the state of the art in data protection and privacy law at the beginning of 2013, pointing out the main developments in the field over the past year and sketching what could happen in the year that has just begun.

The article focuses on the European developments in the data protection legal regime, as “what happens in the EU has an impact on multinational organizations operating across borders, and on the evolution of privacy frameworks around the world.”

Wolf writes about the main critiques the Regulation in its entirety faces, emerging especially from the UK and also from France, but also discusses topical issues, such as “the right to be forgotten”.

In November 2012, Europe’s Network and Information Security Agency (ENISA), released a report on the technical aspects of the “right to be forgotten”. ENISA pointed out that any technical solution for the “right to be forgotten” would require an unambiguous definition of the personal data that is covered by the “right to be forgotten”, a clear notion of who can enforce the right, and a mechanism for balancing the “right to be forgotten” against other rights such as freedom of expression. According to the Report, the text of the current European proposal leaves each of these subjects open to debate, making it difficult to implement technical mechanisms to deal with the “right to be forgotten”.

The European Data Protection Supervisor, Peter Hustinx, spoke at a March 27 event organized by the American Chamber of Commerce in France and sponsored by Hogan Lovells.

The main ideas of his speech:

Main reasons for the need for a new data protection regulation:

1. there is a need to update the current framework

2. the current framework has given rise to increasing diversity and complexity, and we have ended up with 27 versions of the same basic principles, and that is simply too much

3. a new constitutional and institutional framework, the Lisbon Treaty, that entered into force with a strong emphasis on fundamental rights, among them the right to data protection

The new regulation is stronger, more effective, more consistent and more comprehensive.

The exchange of data from private to public sectors is increasing, and will have some practical consequences [this is why the EDPS criticizes the new Directive destined for the judicial collection of data].

Ideas about the Regulation:

1. in spite of all the innovations, there is a lot of continuity; all the basic concepts will continue to exist.

2. innovation comes mainly in making it work in practice, by strengthening the role of the people.

3. data subject’s rights have been confirmed and extended; there is more emphasis on transparency.

4. the biggest emphasis is on the responsibility of big organizations

5. Legal security has been enhanced. There is an enormous amount of simplification.

6. The international dimensions of this regulation: The scope of the regulation has been clarified and extended. These provisions apply when, from outside, from a third country, services are delivered on the European market or when the behavior of Europeans is monitored. I think this is a realistic approach.

Overall, it is a very welcome proposal. The criticism I issued relates more to the directive.

The EDPS “welcomes the proposed Regulation as it constitutes a huge step forward for data protection in Europe” and “is particularly pleased to see that the instrument of a regulation is proposed for the general rules on data protection”.

However, the EDPS is “seriously disappointed with the proposed Directive for data protection in the law enforcement area. The EDPS regrets that the Commission has chosen to regulate this matter in a self-standing legal instrument which provides for an inadequate level of protection, which is greatly inferior to the proposed Regulation”. That is an interesting point of view.

The greatest weakness is considered to be the perpetuation of “the lack of comprehensiveness of the EU data protection rules”. The EDPS considers the reform package “leaves many EU data protection instruments unaffected such as the data protection rules for the EU institutions and bodies, but also all specific instruments adopted in the area of police and judicial cooperation in criminal matters such as the Prüm Decision and the rules on Europol and Eurojust.

Furthermore, the proposed instruments taken together do not fully address factual situations which fall under both policy areas, such as the use of PNR or telecommunication data for law enforcement purposes”.

I was writing yesterday about how the EU will oblige all public institutions and big companies to appoint a data protection officer through the new data protection regulation. Now we’ll have a look at the tasks the data protection officer will have to accomplish.

According to Article 36 of the proposed regulation, the data protection officer will have to:

– inform and advise the controller or the processor of their obligations pursuant to the Regulation and to document this activity and the responses received

– monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits

– monitor the implementation and application of the Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under the Regulation

– ensure that the documentation referred to in Article 28 is maintained

– monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation

– monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer’s competence, co-operating with the supervisory authority at the latter’s request or on the data protection officer’s own initiative

– act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.

These tasks are provided for in the regulation, but they are considered a minimum level of specialized activity. The tasks of the data protection officer are subject to two possible enlargements: one coming from the controller or processor, and another one coming directly from the European Commission. In this respect, paragraph 2 of Article 36 provides that “The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1”.

The data protection reform in the EU is serious. So serious that the European Union actually imposes, through the new regulation, a mandatory data protection officer for the public sector and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.

There is an entire section (Section 4 of Chapter IV) in the proposed regulation dedicated to the “data protection officer”. It builds on Article 18(2) of Directive 95/46/EC, which provided the possibility for Member States to introduce such a requirement as a surrogate for a general notification requirement.

According to Article 35 of the proposed regulation, a data protection officer shall be designated in the following cases:

– when the processing is carried out by a public authority or body;

– when the processing is carried out by an enterprise employing 250 persons or more;

– when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

The Regulation, at Article 35(5), also imposes strict characteristics for the person who will be designated data protection officer, as he or she must be appointed “on the basis of professional qualities and, in particular, expert knowledge of data protection”. By which we understand that companies and public institutions are not allowed to simply name one of their current employees to such a position, unless the current employee receives adequate qualifications in the data protection field.

Article 35(7) establishes a minimum period of employment of 2 years, while Article 35(10) states that data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request to exercise the rights under this Regulation.

A quite independent position

The data protection officer will enjoy as much independence as possible in the context of an employment relationship. As such, Article 36(2) requires the controller or processor to “ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor”.

These developments are huge in the data protection field, and they show that the EU takes as seriously as possible the threat of intrusion into individuals’ private lives through weak protection of their personal data.

Tomorrow I’ll write about the specific tasks a data protection officer will have, according to the proposed regulation.

First of all, before analyzing the content of the reform, it’s important to underline that the EC chose to draft a Regulation and not a Directive. Regulations have binding force for all the Member States and they don’t need implementation laws in the domestic systems! This means that once the Data Protection Regulation enters into force, it will enter into force in all the Member States, and all the Member States will have identical data protection rules! Directives, on the other hand, are binding only as to the purpose they set, Member States being able to choose the way they wish to implement their provisions. This will not be the case for the new European data protection system.

Regarding the content of the reform, I am absolutely convinced that a lot of comments will be made in the forthcoming months. I did not have time to study it in detail, but I have seen that the much expected “right to be forgotten” is a part of the legislative proposal.

More precisely, Article 17 of the regulation provides the data subject’s right to be forgotten and to erasure. “It further elaborates and specifies the right of erasure provided for in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the obligation of the controller which has made the personal data public to inform third parties on the data subject’s request to erase any links to, or copy or replication of that personal data. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology “blocking””, as shown in the document released today.

“Article 18 introduces the data subject’s right to data portability, i.e. to transfer data from one electronic processing system to and into another, without being prevented from doing so by the controller. As a precondition and in order to further improve access of individuals to their personal data, it provides the right to obtain from the controller those data in a structured and commonly used electronic format.”

I have also seen that most of the existing data subject’s rights were modified with the purpose of strengthening them.

I will return to the topic in the next days. Until then, here are some very useful links:
